PCI DSS 4.0.1 Self-Assessment Checklist
This document provides a QSA-ready self-assessment mapping Gatelithix Gateway controls to PCI DSS 4.0.1 requirements. For detailed evidence and the commands used to verify the deployed infrastructure, see PCI Verification Evidence.
Scope
| Property | Value |
|---|---|
| Assessment Type | SAQ-D Service Provider (subset) |
| CDE Boundary | PCI VPC (10.1.0.0/20) + Vault Cloud Run service |
| In-Scope Requirements | 1, 3, 4, 6, 7, 8, 10, 11 |
| Out-of-Scope Requirements (for this checklist) | 2 (vendor defaults — Cloud Run managed), 5 (malware — serverless; 5.2.3 still requires a documented periodic not-at-risk evaluation), 9 (physical security — GCP responsibility), 12 (security policies — organizational). PCI DSS does not let a service provider drop a requirement: each of these must still be answered in the SAQ, either as N/A with justification or with non-Terraform evidence. |
| Cardholder Data Types | PAN (encrypted at rest via Cloud KMS HSM) |
| PAN Storage | PCI Cloud SQL database, encrypted with HSM-backed keys |
| PAN Transmission | Internal HTTPS only (VPC peering, no public internet transit) |
| Service Provider Level | Level 1 posture (designed from day 1) |
Assessment Summary
Requirement 1: Install and Maintain Network Security Controls
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 1.2.1 | Network segmentation controls | Terraform | infra/terraform/modules/vpc/main.tf — deny_all_ingress and deny_all_egress at priority 65534 | Verified |
| 1.3.1 | Inbound traffic to CDE restricted | Terraform | infra/terraform/pci/network.tf — allow_core_to_pci (TCP 443, source 10.0.0.0/20) | Verified |
| 1.3.2 | Outbound traffic from CDE restricted | Terraform | infra/terraform/pci/network.tf — allow_psp_egress (TCP 443; destination currently 0.0.0.0/0, see Assessment Notes), allow_restricted_apis_egress (TCP 443, dest 199.36.153.4/30, the restricted.googleapis.com VIP) | Verified |
| 1.4.1 | No direct internet access to CDE | Terraform | infra/terraform/pci/cloudrun.tf — INGRESS_TRAFFIC_INTERNAL_ONLY | Verified |
| 1.3.x | Migration pipeline CDE isolation | Terraform + CI/CD | Migration Cloud Run Jobs run inside VPC via connectors (core-vpc-connector, pci-vpc-connector). PCI migration images stored in PCI-only Artifact Registry. No cross-CDE image dependencies. | Verified |
Requirement 3: Protect Stored Account Data
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 3.5.1 | PAN encrypted with strong cryptography | Terraform | infra/terraform/pci/kms.tf — pan_encryption_key, HSM protection, AES-256 symmetric | Verified |
| 3.5.1.1 | PAN fingerprint uses keyed hash | Terraform | infra/terraform/pci/kms.tf — pan_fingerprint_key, HMAC_SHA256, HSM protection | Verified |
| 3.6.1 | Cryptographic key management | Terraform | infra/terraform/pci/kms.tf — 90-day auto-rotation, prevent_destroy lifecycle | Verified |
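Why 3.5.1.1 requires the fingerprint to be keyed, shown as an added example that is not the project's code: the checklist's pan_fingerprint_key lives in Cloud KMS and the MAC is computed there, so the program below substitutes a local stand-in key (an assumption) and a standard test PAN to show what a bare SHA-256 fingerprint gives away once the masked PAN (first six, last four) is known. All function and variable names are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed inputs: a standard test PAN and a stand-in key. In the deployed system
// the HMAC key is pan_fingerprint_key inside Cloud KMS (HSM, HMAC_SHA256) and the MAC
// is produced by a KMS MacSign call; the key material never leaves the HSM.
const testPAN = "4111 1111 1111 1111"

var standInKey = []byte("stand-in-for-the-kms-hmac-key")

// normalizePAN strips separators so the same card always yields the same fingerprint.
func normalizePAN(pan string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(pan)
}

// luhnValid implements the Luhn check every real PAN must pass.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d > 9 { // non-digit bytes wrap to a large value and are rejected here
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

// unkeyedFingerprint is the form 3.5.1.1 forbids: a bare SHA-256 of the PAN.
func unkeyedFingerprint(pan string) string {
	sum := sha256.Sum256([]byte(normalizePAN(pan)))
	return hex.EncodeToString(sum[:])
}

// keyedFingerprint is the compliant form: HMAC-SHA256 under a key the attacker lacks.
func keyedFingerprint(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(normalizePAN(pan)))
	return hex.EncodeToString(mac.Sum(nil))
}

// maskPAN renders the first six and last four digits, the usual display form.
func maskPAN(pan string) string {
	p := normalizePAN(pan)
	return p[:6] + strings.Repeat("*", len(p)-10) + p[len(p)-4:]
}

// recoverFromMask shows why the unkeyed form is "unreadable" in name only: with BIN
// and last four exposed, a 16-digit PAN has 10^6 candidates, a tenth of which pass
// Luhn, so matching the target against the attacker's own hash function fp takes
// well under a second. It returns the PAN and true on a match.
func recoverFromMask(masked, target string, fp func(string) string) (string, bool) {
	hidden := strings.Count(masked, "*")
	prefix := masked[:strings.Index(masked, "*")]
	suffix := masked[strings.LastIndex(masked, "*")+1:]
	limit := 1
	for i := 0; i < hidden; i++ {
		limit *= 10
	}
	for n := 0; n < limit; n++ {
		cand := fmt.Sprintf("%s%0*d%s", prefix, hidden, n, suffix)
		if luhnValid(cand) && fp(cand) == target {
			return cand, true
		}
	}
	return "", false
}

func main() {
	masked := maskPAN(testPAN)
	// Unkeyed SHA-256: the fingerprint leaks the full PAN to anyone holding the mask.
	pan, ok := recoverFromMask(masked, unkeyedFingerprint(testPAN), unkeyedFingerprint)
	fmt.Printf("SHA-256 fingerprint + mask %s -> recovered=%v pan=%s\n", masked, ok, pan)
	// HMAC-SHA256 under the KMS key: without the key the same search has no oracle.
	_, ok = recoverFromMask(masked, keyedFingerprint(standInKey, testPAN), unkeyedFingerprint)
	fmt.Printf("HMAC fingerprint + mask %s -> recovered=%v\n", masked, ok)
	// The keyed fingerprint is still deterministic, so it remains usable as a lookup key.
	fmt.Println("deterministic:", keyedFingerprint(standInKey, testPAN) == keyedFingerprint(standInKey, "4111-1111-1111-1111"))
}
```

The search space is small because the mask discloses ten of sixteen digits; the key, not the hash, is what makes the stored fingerprint unreadable. When the key is in an HSM the attacker also has no offline oracle at all, which is why 3.5.1.1 pairs the keyed hash with key management under 3.6.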
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 4.2.1 | PAN encrypted during transmission | Architecture | HTTPS with Google-terminated TLS on every hop, carried over VPC peering (private network); firewall rules permit TCP 443 only, so no cleartext port is reachable. No public internet transit for PAN. | Verified |
| 4.2.1.1 | Inventory of trusted keys and certificates used to protect PAN in transit | Cloud Run | Google-managed TLS certificates on all Cloud Run services, so the inventory is the list of Cloud Run services and their Google-managed certificates. Internal calls use identity tokens + HTTPS. | Verified |
Requirement 6: Develop and Maintain Secure Systems and Software
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 6.2.3 | Bespoke and custom software reviewed before release | CI/CD | .github/workflows/ci.yml — gosec static analysis, Trivy container scan, Go test suite | Verified |
| 6.5.1 | Change control for system components | CI/CD + Terraform | Automated migration pipeline: schema changes applied via goose with DDL-only validation. Migration files contain only CREATE TABLE/ALTER TABLE — no SELECT/INSERT/UPDATE/DELETE of cardholder data. Verified by CI migration validation job. | Verified |
| 6.5.x | Least privilege for migration execution | Terraform | Core migrations run as gateway-sa, PCI migrations run as vault-sa. Credentials injected from Secret Manager at runtime — never baked into images. | Verified |
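The DDL-only gate the 6.5.1 row describes, as an added example rather than the project's CI job: it parses a goose migration (assuming the usual `-- +goose` annotations and `;`-terminated statements), masks referential actions such as ON DELETE CASCADE so they are not mistaken for DML, and fails any statement that is off the allow-list or contains a DML keyword anywhere, which catches CREATE TABLE ... AS SELECT as well as a bare UPDATE. The allow-list (which admits DROP TABLE/INDEX so Down sections validate) and both sample migrations are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Statement kinds a PCI migration may contain. This allow-list is the example's own:
// CREATE/ALTER/DROP TABLE and CREATE/DROP INDEX, with DROP admitted so that goose
// Down sections validate. Anything else (functions, triggers, GRANTs) fails closed.
var ddlStatement = regexp.MustCompile(
	`(?i)^\s*(CREATE\s+TABLE|ALTER\s+TABLE|DROP\s+TABLE|CREATE\s+(UNIQUE\s+)?INDEX|DROP\s+INDEX)\b`)

// DML keywords that must never appear: each can read or move cardholder data even
// inside DDL (CREATE TABLE ... AS SELECT, ALTER ... DEFAULT (SELECT ...), COPY ... TO).
var dmlKeyword = regexp.MustCompile(`(?i)\b(SELECT|INSERT|UPDATE|DELETE|TRUNCATE|COPY|MERGE)\b`)

// Referential actions are legitimate DDL; they are masked before the DML scan so that
// ON DELETE CASCADE or ON UPDATE RESTRICT do not produce false positives.
var refAction = regexp.MustCompile(`(?i)\bON\s+(DELETE|UPDATE)\s+(CASCADE|RESTRICT|NO\s+ACTION|SET\s+(NULL|DEFAULT))`)

// stripComments drops `--` line comments, which also removes the goose annotations
// (-- +goose Up / Down / StatementBegin / StatementEnd).
func stripComments(line string) string {
	if i := strings.Index(line, "--"); i >= 0 {
		return line[:i]
	}
	return line
}

// checkStatement returns at most one finding for a single `;`-terminated statement,
// reported against the line on which the statement starts.
func checkStatement(line int, stmt string) []string {
	words := strings.Fields(stmt)
	if len(words) > 3 {
		words = words[:3]
	}
	label := strings.Join(words, " ")
	if m := dmlKeyword.FindString(refAction.ReplaceAllString(stmt, "")); m != "" {
		return []string{fmt.Sprintf("line %d: DML keyword %s in migration (%s ...)", line, strings.ToUpper(m), label)}
	}
	if !ddlStatement.MatchString(stmt) {
		return []string{fmt.Sprintf("line %d: statement not on the DDL allow-list (%s ...)", line, label)}
	}
	return nil
}

// validateMigration splits a goose migration into statements and collects findings.
// It does not tokenise string literals, so a literal containing 'delete' is flagged;
// for a CDE gate that false positive is preferable to a miss.
func validateMigration(src string) []string {
	var findings []string
	var buf strings.Builder
	start := 0
	for i, raw := range strings.Split(src, "\n") {
		line := stripComments(raw)
		if strings.TrimSpace(line) == "" {
			continue
		}
		if buf.Len() == 0 {
			start = i + 1
		}
		buf.WriteString(line + "\n")
		if strings.HasSuffix(strings.TrimSpace(line), ";") {
			findings = append(findings, checkStatement(start, buf.String())...)
			buf.Reset()
		}
	}
	if strings.TrimSpace(buf.String()) != "" {
		findings = append(findings, fmt.Sprintf("line %d: statement not terminated with ';'", start))
	}
	return findings
}

// goodMigration is a constructed migration that should pass: schema only, with a
// referential action and trailing comments that must not trip the scan.
const goodMigration = `-- +goose Up
CREATE TABLE vault_cards (
    id UUID PRIMARY KEY,
    merchant_id UUID NOT NULL REFERENCES merchants(id) ON DELETE CASCADE,
    pan_ciphertext BYTEA NOT NULL,  -- KMS-encrypted PAN
    pan_fingerprint BYTEA NOT NULL, -- HMAC-SHA256 under pan_fingerprint_key
    created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
CREATE UNIQUE INDEX vault_cards_fingerprint_idx ON vault_cards (pan_fingerprint);
-- +goose Down
DROP TABLE vault_cards;
`

// badMigration is constructed to smuggle cardholder-data access past a naive
// "starts with ALTER/CREATE" check: an UPDATE and a CREATE TABLE ... AS SELECT.
const badMigration = `-- +goose Up
ALTER TABLE vault_cards ADD COLUMN last4 TEXT;
UPDATE vault_cards SET last4 = right(convert_from(pan_ciphertext, 'UTF8'), 4);
CREATE TABLE vault_cards_export AS SELECT id, pan_ciphertext FROM vault_cards;
-- +goose Down
ALTER TABLE vault_cards DROP COLUMN last4;
`

func main() {
	for _, m := range []struct{ name, src string }{{"good", goodMigration}, {"bad", badMigration}} {
		findings := validateMigration(m.src)
		fmt.Printf("%s: %d finding(s)\n", m.name, len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
}
```

Run over every file under the PCI migrations directory in CI and fail the job on any finding. The DML scan runs before the allow-list check on purpose: a statement that starts with CREATE TABLE but continues with AS SELECT would otherwise pass a prefix-only rule.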
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 7.2.1 | Access based on need to know | Terraform | infra/terraform/pci/kms.tf — KMS IAM restricted to vault_sa_email only | Verified |
| 7.2.2 | Privileges assigned by function | Terraform | Separate SAs: gateway_sa, vault_sa, connector_sa with role-specific IAM bindings | Verified |
| 7.3.3 | Access control system defaults to deny all | Terraform | modules/vpc/main.tf — deny-all baseline. Cloud Run IAM requires explicit invoker grants. | Verified |
Requirement 8: Identify Users and Authenticate Access to System Components
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 8.4.x | MFA for merchant portal administrative access | Configuration | Auth0 tenant MFA policy (Guardian + TOTP) for merchant portal admin access | Verified |
| 8.3.2 | Authentication factors unreadable in storage and transmission | Code | JWT validation (RS256 via JWKS). API keys stored as SHA-256 digests; adequate only for random high-entropy keys, not user-chosen secrets, so verify keys are generated with a CSPRNG. | Verified |
| 8.4.2 / 8.4.3 | MFA for all access into the CDE, including remote access | Configuration | MFA (2-Step Verification) enforced organization-wide for GCP console and API access. This is a Cloud Identity enforcement setting, not a Resource Manager org policy constraint. | Verified |
| 8.6.x | Service (system/application) accounts: least privilege, no stored credentials | Terraform | Per-service SAs, no wildcard roles, no SA key files (Cloud Run attaches the service account and obtains short-lived tokens from the metadata server) | Verified |
Requirement 9: Restrict Physical Access to Cardholder Data
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 9.x | Physical security | N/A | Skipped — GCP responsibility. Google Cloud data centers hold SOC 2 Type II and PCI DSS certifications. Gatelithix runs entirely on Cloud Run (serverless). | GCP |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 10.2.1 | Audit logs enabled | Terraform | infra/terraform/pci/logging.tf — pci_audit_sink captures cloudaudit.googleapis.com logs | Verified |
| 10.3.2 | Audit logs protected from modification | Terraform | infra/terraform/pci/logging.tf — locked = true on logging bucket (a locked retention policy cannot be shortened or removed) | Verified |
| 10.5.1 | Audit log retention >= 12 months | Terraform | infra/terraform/pci/logging.tf — 365-day retention (logging bucket) + 365-day locked retention (storage archive) | Verified |
| 10.3.3 | Audit logs backed up to secure, difficult-to-modify storage | Terraform | infra/terraform/pci/logging.tf — NEARLINE storage bucket with versioning, locked retention, pci_audit_archive_sink | Verified |
| 10.2.x | Migration execution audit trail | CI/CD + Cloud Run | Every migration execution is logged in Cloud Run Job execution history and Cloud Logging with full traceability to the triggering commit SHA. Job success/failure visible via gcloud run jobs executions list. | Verified |
Requirement 11: Test Security of Systems and Networks Regularly
| PCI Control | Requirement | Evidence Type | Evidence Location | Status |
|---|---|---|---|---|
| 11.3.1 | Internal vulnerability scans | CI/CD | .github/workflows/ci.yml — gosec static analysis on every PR. SAST covers code, not deployed components; 11.3.1 additionally requires authenticated internal vulnerability scans of in-scope components at least once every three months and after significant changes. | Partial |
| 11.3.2 | External vulnerability scans | CI/CD | .github/workflows/ci.yml — Trivy container scan (HIGH+CRITICAL severity, exit-code 1). Image scanning is evidence for 6.3.1, not 11.3.2, which requires quarterly external scans by a PCI SSC Approved Scanning Vendor (ASV) against the public-facing addresses. | Partial |
| 11.6.1 | Change detection on payment pages | N/A | Not applicable — API-only service, no hosted payment pages | N/A |
Verification Procedures
For each control marked Verified above, the PCI Verification Evidence page provides:
- Exact Terraform resource references with file paths and attribute values
- gcloud commands to verify that the deployed infrastructure matches the Terraform configuration
- Expected command output for each verification step
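A verification check for the Requirement 1 rows, written as an added example (it is not taken from the PCI Verification Evidence page): it reads the JSON that gcloud compute firewall-rules list --format=json emits and reports every deviation from the deny-all baseline, the exact peer CIDRs and the TCP-443-only allow rules, including the 0.0.0.0/0 PSP egress recorded in the Assessment Notes. The rule names and the sample JSON are constructed for the example; adjust the names to those in infra/terraform/pci/network.tf.

```go
package main

import "encoding/json"
import "fmt"

// portSpec and firewallRule mirror the fields of
// `gcloud compute firewall-rules list --format=json` that the checks read.
type portSpec struct {
	IPProtocol string   `json:"IPProtocol"`
	Ports      []string `json:"ports"`
}

type firewallRule struct {
	Name              string     `json:"name"`
	Direction         string     `json:"direction"`
	Priority          int        `json:"priority"`
	SourceRanges      []string   `json:"sourceRanges"`
	DestinationRanges []string   `json:"destinationRanges"`
	Allowed           []portSpec `json:"allowed"`
	Denied            []portSpec `json:"denied"`
}

// expect lists the rules the checklist relies on: direction, the single CIDR the rule
// may match on, and whether it must be the deny-all baseline. The names are assumed
// (GCP requires lowercase-hyphenated names, so deny_all_ingress etc. cannot be used).
var expect = map[string]struct {
	dir, cidr string
	deny      bool
}{
	"deny-all-ingress":             {"INGRESS", "0.0.0.0/0", true},
	"deny-all-egress":              {"EGRESS", "0.0.0.0/0", true},
	"allow-core-to-pci":            {"INGRESS", "10.0.0.0/20", false},
	"allow-restricted-apis-egress": {"EGRESS", "199.36.153.4/30", false},
}

// sampleRules is constructed gcloud-shaped output reproducing the checklist's state.
const sampleRules = `[
{"name":"deny-all-ingress","direction":"INGRESS","priority":65534,"sourceRanges":["0.0.0.0/0"],"denied":[{"IPProtocol":"all"}]},
{"name":"deny-all-egress","direction":"EGRESS","priority":65534,"destinationRanges":["0.0.0.0/0"],"denied":[{"IPProtocol":"all"}]},
{"name":"allow-core-to-pci","direction":"INGRESS","priority":1000,"sourceRanges":["10.0.0.0/20"],"allowed":[{"IPProtocol":"tcp","ports":["443"]}]},
{"name":"allow-restricted-apis-egress","direction":"EGRESS","priority":1000,"destinationRanges":["199.36.153.4/30"],"allowed":[{"IPProtocol":"tcp","ports":["443"]}]},
{"name":"allow-psp-egress","direction":"EGRESS","priority":1000,"destinationRanges":["0.0.0.0/0"],"allowed":[{"IPProtocol":"tcp","ports":["443"]}]}
]`

func loadRules(data []byte) ([]firewallRule, error) {
	var rules []firewallRule
	err := json.Unmarshal(data, &rules)
	return rules, err
}

// exactly reports whether list is precisely the single expected value.
func exactly(list []string, want string) bool { return len(list) == 1 && list[0] == want }

// isDenyBaseline: denies every protocol at priority 65534, one step above GCP's
// implied rules (65535) so it also overrides the implied allow-all egress.
func isDenyBaseline(r firewallRule) bool {
	return r.Priority == 65534 && len(r.Allowed) == 0 && len(r.Denied) == 1 && r.Denied[0].IPProtocol == "all"
}

// checkRules returns one finding per deviation from the Requirement 1 rows: deny-all
// baseline (1.2.1), exact peer CIDRs (1.3.1, 1.3.2), allow rules on TCP 443 only.
func checkRules(rules []firewallRule) []string {
	var findings []string
	seen := map[string]bool{}
	for _, r := range rules {
		seen[r.Name] = true
		// Ingress rules carry sourceRanges, egress rules destinationRanges; never both.
		cidrs := append(append([]string(nil), r.SourceRanges...), r.DestinationRanges...)
		if want, named := expect[r.Name]; named &&
			(r.Direction != want.dir || !exactly(cidrs, want.cidr) || want.deny != isDenyBaseline(r)) {
			findings = append(findings, fmt.Sprintf("%s: expected %s on exactly %s (deny-all=%v)", r.Name, want.dir, want.cidr, want.deny))
		}
		for _, a := range r.Allowed {
			if a.IPProtocol != "tcp" || !exactly(a.Ports, "443") {
				findings = append(findings, r.Name+": allows something other than TCP 443")
			}
		}
		if len(r.Allowed) > 0 && r.Priority >= 65534 {
			findings = append(findings, r.Name+": allow rule does not outrank the deny-all baseline")
		}
		if len(r.Allowed) > 0 && r.Direction == "EGRESS" && exactly(cidrs, "0.0.0.0/0") {
			findings = append(findings, r.Name+": egress allowed to 0.0.0.0/0; narrow to PSP ranges")
		}
	}
	for name := range expect {
		if !seen[name] {
			findings = append(findings, "missing rule "+name)
		}
	}
	return findings
}

func main() {
	rules, _ := loadRules([]byte(sampleRules)) // the sample is a constant and always parses
	for _, f := range checkRules(rules) {
		fmt.Println("FINDING: " + f)
	}
}
```

To run it against live state, save the output of gcloud compute firewall-rules list --filter="network:pci-vpc" --format=json (the network name is assumed) and pass those bytes to loadRules instead of sampleRules; the evidence job should fail on any non-empty finding list. Against the sample it reports exactly one finding, the broad PSP egress, which is the gap the Assessment Notes already acknowledge.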
Assessment Notes
- Req 9 Physical Security: Explicitly skipped per the GCP shared responsibility model. Google Cloud maintains physical security controls for all data center facilities. Reference: Google Cloud Compliance.
- Req 11.6.1 Payment Page Integrity: Not applicable. Gatelithix Gateway is a backend API service. Merchants integrate via REST API and client SDKs. No payment pages are hosted by the gateway.
- PSP Egress Scope: The allow_psp_egress firewall rule currently allows broad TCP 443 egress (0.0.0.0/0). A future hardening task will narrow this to specific PSP IP ranges (Stripe, NMI, FluidPay). Until then, 1.3.2 is satisfied by port restriction only: the CDE can open a TLS connection to any internet host on 443.
- MFA Verification: Auth0 MFA configuration and GCP MFA enforcement are verified through administrative console review, not Terraform. These are organizational controls maintained by the security team.